Posted
by
Soulskill
on Monday December 20, 2010 @09:04PM
from the barn-doors-and-horses dept.

Trailrunner7 writes "After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches. Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features."

Plunkett should be sacked because he is ultimately responsible for his team.

Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

Actually, they weren't stored encrypted either - a hash to the password was stored.

The problem with using the hash method and length used (the old default for Unix, Unix-like systems and Apache) is that it's vulnerable against rainbow tables -- someone with LOTS of disk space and 4096 rainbow table databases (one for each possible salt) could quickly find a usable password for every hash.

But against dictionary attacks, permutations of known data, and brute force, it doesn't matter how strong the hash is. A

Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

Which is both reprehensible of them and false. Their poor choice of algorithm literally truncated my sixteen character password to an eight character one. When I logged in to change mine I did so with just the front half.

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone. And they certainly haven't reprimanded their users for 'weak' passwords. The truth of the matter is that users who had passwords that were unique to their Gawker account (a practice we all know is the smart way to go, right?) only had to

"The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack" -- in a way that is not a lie and not critizing their users, but it does give the impression that the users actually had a choice to secure their account. Reality is that with gawkers password scheme that was not possible.

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone.

This is the same bullshit, "We can't actually say this, but we will hint at, imply, and suggest it in every possible way until you believe it" strategy that Fox News has mastered so well. The plain fact, of course, is that Gawker is to blame for the breach of their users' passwords, weak and strong alike. They want desperately to have those users start thinking along different lines and sadly, it appears to be working.

Except for the fact that many of the other sites/services for which I use my email address have gone into the leaked torrent, found my email address, and locked my account and forced me to change my password, even though I haven't used the same password amongst the sites. I've spent the last week getting locked out of various places and having to come up with all new passwords

They are a giant precisely because they are the force behind a fairly diverse range of sites, all of which are big names in their respective fields. You may not have heard the name 'Gawker Media', and I don't expect valleywag or Jezebel to come up on most Slashdotters' daily rotation, but Gizmodo gets linked here (either in stories or comments) fairly regularly.

There's a good chance you've been to one of their sites before. Gizmodo, Kotaku, Lifehacker, and io9 are their bigger ones I can recall -- I'm sure there are others. I personally read Gizmodo and io9 quite often, though I've never made an account with them.

In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords.

They are still blaming bugs in code. Pretending to be mistakes made by low level programming flunkies. The problem was using an unsalted hash that allowed them to do a simple dictionary attack. Further even the top guys were using very simple passwords. Used the same password for multiple accounts. Continued to leave other accounts and usernames unlocked even after knowing one account using that password has been compromised.

No. The real problem was that the managers and the top dogs drawing top salaries were clueless idiots. Pretending that it was some kind of stupid bug left in code by some low level programmer shows how disconnected these bozos are from reality.

Did you read the readmes in the torrent? The attackers claim that they took DAYS to download those passwords. That traffic didn't look unusual to anyone? Should any system anywhere that isn't either migrating that database or backing it up be looking at more than a couple of passwords in any short span of time? Regardless, this didn't draw any attention.
Bug or not, there's not really any excuse here.

If their claims to be consulting an "independent security firm" are true, then it appears they also realize they're incompetent and are bringing in outside help to school them on proper security.

We've learned many lessons from this experience, both as a tech team, as a company, and as individuals. If there's one lesson nearly all of us learned, it's that we can and must be smarter with passwords. Lifehacker is a great resource for password advice (and there are many others). I suggest you start here: http://lifehacker.com/184773/geek-to-live [lifehacker.com]-choose-and-remember-great-passwords.

It seems they're at least beginning to learn, though.

They also mention that they're going to let users use OAuth to log in. It's not clear if they'll be moving all accounts to OAuth, or if they're going to keep using unsalted crypt() for users who want to keep their account local.

I'm not disagreeing with you that there were multiple failures at multiple levels of the management chain.

But wouldn't using an unsalted hash vulnerable to dictionary attacks be the mistake of "low-level programming flunkies?" Why should any management-level people know what the hell a hash or a salt is, much less be micromanaging their programmers to that extent? Isn't that why you hire coders in the first place -- for their expertise in doing things the right way?

The problem usually comes down to this:A) Pay a decent, well reputable, knowledgeable coder $$$$ for his time to develop a website.

or

B) Pay some outsourced company $$ for their time to develop a website.

Most management usually goes for B. It generally makes them "look better" because it can "get the job done", they can "save money". Security is an afterthought to almost all management levels. The only reason that Gawker's management is even anything close to concerned now is because it's going to cut into a

I have heard this manta repeatedly endlessly by PHBs, "security has no ROI."

With an attitude like this, it gets surprising that these breaches are not even more commonplace. Of course, there will be no long term consequences for the poor security, except what happens to the users.

I hate calling for regulation [1], but it may take governments stepping in and people going to jail before businesses actually pay more than token attention to security.

Elaborating on this, why not have the password checks be done do an isolated SQL server replicating a read-only table? Then for the password queries, have this be a function of the database, where there is an inserted delay between checks. This way, each user might wait an additional half second to second before logging which isn't that big a deal for them. However, someone who compromised the webserver wouldn't just be able to dump the database en masse, but name by name with 500 ms between each.

"The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs."

We have the exact same problem with an internet-connected application where I work - plaintext passwords. All of the developers have pointed out that it's a problem to business, but they think it's a feature because it allows them to read passwords back to customers who've lost them, or send them a welcome e-mail with their password. No matter how much we whinge and bitch that it's wrong and you can send users new passwords with hashed or encrypted password systems they won't budge and refuse to sp

Is part of the strategy to force users to change their password every month so they can write it down or reuse it and make it just secure enough to pass validation? This kind of crap is happening at work and forces me to use crappy passwords! Thanks security consultants!

I never heard of Gawker, but I received email from them telling me that my account was compromised. I just went to their site, entered my email and asked for a password reset. I got a reply with a username I don't recognize. When I logged in with the id and password, I got an error message that said I had never "verified" my account.

I'd say they have some serious problems that go beyond the password hack.

Actually, ditto. Also, I've read Lifehacker for some time. It isn't exactly like SunTzuWarmaster is a username that has been ever taken... why would Gawker, of all places, have a username that I have never heard of?

It turns out that Gawker has a "Chief Technology Officer". However, if you read this article from Forbes [forbes.com], it makes you wonder what this guy actually did, other than show up and collect a paycheck.

It would've been more secure for employees to write them down. Then they only have to worry about their spouse, kids, plumber and people who get to see the house office. If they have a real office, it's still limited to employees and finding out who the Evil One is after something like this shouldn't be that hard. Writing down passwords on post-its isn't that big of a problem.

I may be wrong, but it appears that when you try to delete your account, they don't actually get rid of the information, they just make it inaccessible to you. I guess they'd prefer not to offend all the advertisers they whored your personal information out to.

That wouldn't have helped here, my understanding is that the password were hashed but not salted. So once the hackers had downloaded the hashed password all they had to do was compare the resulting hash strings with a database with precompiled password hashes (Lookup Rainbow Tables).

For example, using MD5 hashing. password always comes out as 5f4dcc3b5aa765d61d8327deb882cf99 so if you ever see that string in a password file, you know the user password = password.